Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA3YzktanFocS12cjN2
Remote Code Execution in markdown-pdf
Versions of markdown-pdf prior to 9.0.0 are vulnerable to Remote Code Execution. The package fails to sanitize HTML code in markdown files. If markdown files with malicious HTML are converted to PDF, the resulting PDF file will execute any JavaScript code in the original markdown file. This may allow attackers to execute Remote Code.
Recommendation
Upgrade to version 9.0.0 or later.
Permalink: https://github.com/advisories/GHSA-p7c9-jqhq-vr3vJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA3YzktanFocS12cjN2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 6 years ago
Updated: almost 2 years ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00052
EPSS Percentile: 0.22665
Identifiers: GHSA-p7c9-jqhq-vr3v, CVE-2018-3770
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-3770
- https://hackerone.com/reports/360727
- https://github.com/advisories/GHSA-p7c9-jqhq-vr3v
- https://www.npmjs.com/advisories/991
Affected Packages
npm:markdown-pdf
Dependent packages: 69Dependent repositories: 358
Downloads: 19,517 last month
Affected Version Ranges: < 9.0.0
Fixed in: 9.0.0
All affected versions: 0.0.0, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 2.0.0, 2.1.0, 2.2.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0, 4.0.1, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 6.0.0, 7.0.0, 8.0.0, 8.1.0, 8.1.1
All unaffected versions: 9.0.0, 10.0.0, 11.0.0